Professional Documents
Culture Documents
Concern Process/Knowledge
Medium One of the three qualities is compensating, but the others are not. The threat is perhaps not very
motivated or not sufficiently capable, the controls in place might be reasonably strong, or the
vulnerability might be not very severe.
Low Two or more of the three qualities are compensating. The threat might lack motivation or capability;
strong controls might be in place to prevent, or at least significantly impede, the vulnerability from
being exploited; and the vulnerability might have a very low impact.
Risk Impact Determination
• discusses three aspects of risk impact determination:
• identifying the threatened assets: Common impacts on information assets
include loss of data, corruption of data, unauthorized or unaudited
modification of data, unavailability of data, corruption of audit trails, and
insertion of invalid data.
• identifying business impact: Examples of business impacts include loss of
market share, loss of reputation, depreciation of stock value, fines, legal fees
and judgments, costs of technical remediation, and theft.
• determining impact locality
RISK EXPOSURE STATEMENT
• The risk exposure statement combines the likelihood of a risk with the
impact of that risk.
• The product of these two analyses provides the overall summary of
risk exposure for the organization for each risk.
Risk Exposure Calculation Matrix
Risk Mitigation Planning
• Mitigation of a risk entails changing the architecture of the software
or the business in one or more ways to reduce the likelihood or the
impact of the risk.
• Formal and informal testing, such as penetration testing, may be used
to test the effectiveness of these mitigation measures.
Software Security Knowledge for
Architecture and Design: Security
Principles, Security Guidelines, and Attack
Pattern
Security Principles
• Security principles are the foundational tenets of the software
security domain.
• They are long-standing, universal statements of how to build software
the right way if security is a concern (which it always is).
• These principles represent the experiential knowledge of the most
respected thought leaders and practitioners in the field of software
security.
• By leveraging them, your team gains access to the scalable wisdom
necessary for assessing and mitigating the security risk posed by your
software’s architecture and design.
Security Principles
• Security principles are a set of high-level practices derived from real-world experience that can
help guide software developers (software architects and designers in particular) in building more
secure software.
• THE PRINCIPLES FOR SOFTWARE SECURITY
• Least privilege
• Failing securely
• Securing the weakest link
• Defense in depth
• Separation of privilege
• Economy of mechanism
• Least common mechanism
• Reluctance to trust
• Never assuming that your secrets are safe
• Complete mediation
• Psychological acceptability
• Promoting privacy
1. The Principle of Least Privilege:
• Only the minimum necessary rights should be assigned to a subject that requests access to a resource and
should be in effect for the shortest duration necessary (remember to relinquish privileges).
• Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to
obtain or change information in unwanted ways
2. The Principle of Failing Securely:
• secure defaults (the default is to deny access); on failure, undo changes and restore the system to a secure
state; always check return values for failure; and in conditional code/filters, make sure that a default case is
present that does the right thing
• During a failure, attackers must not be permitted to gain access rights to privileged objects that are normally
inaccessible.
3. The Principle of Securing the Weakest Link
• Knowing when the weak spots of a software application have been fortified can indicate to a software vendor
whether the application is secure enough to be released.
4. The Principle of Defense in Depth
• Defending an application with multiple layers can eliminate the existence of a single point of failure that
compromises the security of the application.
5. The Principle of Separation of Privilege
• A system should ensure that multiple conditions are met before it grants permissions to an object
• Compartmentalizing software into separate components that require multiple checks for access can inhibit an
attack or potentially prevent an attacker from taking over an entire system
6. The Principle of Economy of Mechanism
• complexity. If the design, implementation, or security mechanisms are highly complex, then the likelihood that security vulnerabilities
will exist within the system increases
7. The Principle of Least Common Mechanism
• Avoid having multiple subjects share those mechanisms that grant access to a resource
• A different mechanism (or instantiation of a mechanism) for each subject or class of subjects can provide flexibility of access control
among various users and prevent potential security violations that would otherwise occur if only one mechanism were implemented
8. The Principle of Reluctance to Trust
• When building an application, software engineers should anticipate malformed input from unknown users.
• the interface between two systems should be secured.
• Minimizing the trust in other systems can increase the security of your application.
9. The Principle of Never Assuming That Your Secrets Are Safe
• You should always assume that an attacker can obtain enough information about your system to launch an attack.
• For example, tools such as decompilers and disassemblers may allow attackers to obtain sensitive information that may be stored in
binary files.
• Using real protection mechanisms to secure sensitive information should be the ultimate means of protecting your secrets.
10. The Principle of Complete Mediation
• A software system that requires access checks to an object each time a subject requests access, especially for security-critical objects,
decreases the chances that the system will mistakenly give elevated permissions to that subject.
11. The Principle of Psychological Acceptability
• Accessibility to resources should not be inhibited by security mechanisms.
• If security mechanisms hinder the usability or accessibility of resources, then users may opt to turn off those mechanisms
12. The Principle of Promoting Privacy
• Preventing attackers from accessing private information or obscuring that information can alleviate the risk of information leakage.
Security Guidelines
• Security guidelines represent prescriptive guidance for those software
design-level concerns typically faced by the software development
project team.
• they also can provide an effective checklist of what you may have
failed to do to ensure that your software is both resistant and resilient
to likely attack.
WHAT DO SECURITY GUIDELINES
LOOK LIKE?
• Guideline: Follow the Rules Regarding Concurrency Management
• serious vulnerabilities
• without using appropriate concurrency management mechanisms produces
hard-to-find vulnerabilities
• When multiple threads of control attempt to share the same resource, then
• Deadlock: One or more threads may become permanently blocked.
• Loss of information: Saved information is overwritten by another thread.
• Loss of integrity of information: Information written by multiple threads may be
arbitrarily interlaced.
• Loss of liveness: Imbalance in access to shared resources by competing threads can
cause performance problems.
• Competing “Systems” (Time of Check/Time of Use)
• A common mitigation tactic is to minimize the time interval between check and
use. An even more effective tactic is to use a “check, use, check” pattern that
can often detect concurrency violations, though not prevent them.
• Applicable Context
• All of the following must be true:
• Multiple “systems” must be operating concurrently.
• At least two of those systems must use a shared resource (e.g., file, device, database table row).
• At least one of those systems must use the shared resource in any of the following ways:
• Without using any concurrency control mechanism. This includes the situation where no
such mechanism exists, such as conventional UNIX file systems, causing corruption or
confusion.
• Using the right concurrency control mechanism incorrectly. This includes situations such
as not using a consistent resource locking order across all systems (e.g., in databases),
causing deadlocks.
• Using the wrong concurrency control mechanism (even if it used correctly). This includes
situations where a give resource may support multiple concurrency control mechanisms
that are independent of one another [e.g., UNIX lockf() and flock()], causing corruption or
confusion.
• Competing Threads within a “System” (Races)
• The second largest class of concurrency-related vulnerabilities is generated by
defects in the sharing of resources such as memory, devices, or files.
• design error
• Applicable Context
• All of the following must be true:
• A “system” must have multiple concurrently operating threads of control.
• Two or more of those threads must use a shared data object, device, or other resource.
• At least one thread must use the shared resource without using the appropriate concurrency
control mechanism correctly (or at all).
3 None Loss of integrity of information: Information written by multiple threads may be arbitrarily
interlaced.
4 None Loss of liveness: Imbalance in access to shared resources by competing threads can cause
performance problems.
• Security Policies to Be Preserved
• Threads must not deadlock.
• Information must not be lost.
• Information must not be corrupted.
• Acceptable performance must be maintained.
• How to Recognize This Defect
• Concurrency defects are extremely difficult to recognize. There is no general-
purpose approach to finding them.
Efficacy Mitigation
Low Where no concurrency control mechanism is available, seek to minimize the interval between the time
of check and the time of use. Technically this action does not correct the problem, but it can make the
error much more difficult to exploit.
Infinite The appropriate concurrency control mechanism must be used in the conventional way (assuming
there is one).
Attack Patterns
• attack patterns are another knowledge resource available to the software project
manager.
• Attack patterns, describing common approaches to attacking software, provide one of
the most effective resources for capturing this attacker’s perspective.
• Attack patterns offer a valuable resource during three primary activities of architecture
and design: design and security pattern selection, threat modeling, and attack
resistance.
• One of the key methods for improving the stability, performance, and security of a
software architecture is the leveraging of proven patterns.
• use of attack patterns as an integral part of the threat model.
• attack patterns can be a valuable tool in identifying and characterizing contextually
appropriate attacker perspectives to consider in a red teaming type of approach.
REFERENCE
• SOFTWARE SECURITY ENGINEERING
• BY
• JULIAH ALLEN, SEAN BARNUM, ROBERT J ELLISON, GARY MCGRAW,
NANCY R MEAD
• PEARSON EDUCATION